This question came from our site for professional and enthusiast programmers.


tcpdump is the magic command you want. Wireshark is a nice GUI on top of the library tcpdump uses.
– Vinko Vrsalovic, Aug 13 '09 at 22:48


I know this is an old question but I'm curious to know why using nc for the "server side" as well wasn't an option? "nc -l 1234" creates a server that listens on port 1234 and prints out whatever is sent to it and closes the connection. If you want to keep the connection alive and not disconnect you can add the "-k" option.
– StFS, Aug 13 '14 at 14:20

Wow. tcpflow is awesome, thanks! Saved me a TONNE of pain I was having with wireshark. Wireshark, tcpdump, etc. have way too much info and don't actually do what the original question asks. tcpflow is perfect for this.
– Russ, Apr 19 '12 at 22:24


From tcpflow version 1.3 the -e option is used for specifying the scanner name, so the error "Invalid scanner name '8983'" is printed. The correct command is: sudo tcpflow -i any -C -J port 1234
– Michal Kováč, May 22 '14 at 9:50

DESCRIPTION

tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like tcpdump(4) shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.

tcpflow stores all captured data in files that have names of the form

192.168.101.102.02345-010.011.012.013.45103

where the contents of the above file would be data transmitted from host 192.168.101.102 port 2345, to host 10.11.12.13 port 45103.

Set up a connection from your application app to your server.
When the connection is up and running, tcpflow is still able to capture data from it.
For example:

$ sudo tcpflow -i lo port 5555
tcpflow[3006]: listening on lo

All data will be stored in a file named 127.000.000.001.48842-127.000.000.001.05555.

You may still redirect this to the standard output with the option -Cs.
Read the manual page to play with expressions to tune the packets you want tcpflow to capture.
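Since tcpflow writes one file per direction, the two halves of a connection (such as the loopback capture above) end up in two separate files. As an added example that is not part of any answer on this page, the following Python parses the zero-padded filename layout quoted from the man page and pairs up the two directions of each connection; it assumes only that layout (no timestamp prefix or connection-count suffix) and treats any other name as not a flow file.

```python
import re

# Layout quoted from the tcpflow man page: zero-padded octets and ports,
#   AAA.AAA.AAA.AAA.PPPPP-BBB.BBB.BBB.BBB.PPPPP
FLOW_RE = re.compile(
    r"^(?P<sip>\d{3}\.\d{3}\.\d{3}\.\d{3})\.(?P<sport>\d{5})"
    r"-(?P<dip>\d{3}\.\d{3}\.\d{3}\.\d{3})\.(?P<dport>\d{5})$"
)


def _unpad_ip(padded):
    """Turn '010.011.012.013' into '10.11.12.13'; None if an octet is out of range."""
    octets = [int(o) for o in padded.split(".")]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def parse_flow_name(name):
    """Return (src_ip, src_port, dst_ip, dst_port) for a tcpflow file name, else None."""
    m = FLOW_RE.match(name)
    if not m:
        return None
    sip, dip = _unpad_ip(m["sip"]), _unpad_ip(m["dip"])
    sport, dport = int(m["sport"]), int(m["dport"])
    if sip is None or dip is None or sport > 65535 or dport > 65535:
        return None
    return (sip, sport, dip, dport)


def pair_flows(names):
    """Group flow files by connection.

    Key: the connection's two endpoints, sorted so both directions share a key.
    Value: {(src_ip, src_port, dst_ip, dst_port): filename} for each direction seen.
    Names that are not tcpflow flow files are ignored.
    """
    conns = {}
    for name in names:
        parsed = parse_flow_name(name)
        if parsed is None:
            continue
        sip, sport, dip, dport = parsed
        key = tuple(sorted([(sip, sport), (dip, dport)]))
        conns.setdefault(key, {})[parsed] = name
    return conns
```

Point it at a listing of the tcpflow output directory to see which connections were captured in both directions and which only one way.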

ngrep is very nice for this. It takes a BPF string and an optional string to search for within the packets, and then dumps the packet contents to screen in a pretty useful format. It optionally also dumps to a pcap_dump file that you can examine more closely in Wireshark later.